|Publication number||US7784097 B1|
|Application number||US 10/996,574|
|Publication date||Aug 24, 2010|
|Filing date||Nov 24, 2004|
|Priority date||Nov 24, 2004|
|Also published as||US8667588, US20100281542|
|Publication number||10996574, 996574, US 7784097 B1, US 7784097B1, US-B1-7784097, US7784097 B1, US7784097B1|
|Inventors||Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. LOCASTO, Janak Parekh|
|Original Assignee||The Trustees Of Columbia University In The City Of New York|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (10), Non-Patent Citations (18), Referenced by (99), Classifications (16), Legal Events (2)|
|External Links: USPTO, USPTO Assignment, Espacenet|
The present invention relates to computer network security. More particularly, the present invention relates to systems and methods for correlating and distributing intrusion alert information among collaborating computer systems.
Computer viruses, worms, trojans, hackers, malicious executables, network application errors, misuse of computer systems, scans, probes, etc. (collectively hereinafter “threats”) are constant menace to all owners, operators, and users of computers connected to public computer networks (such as the Internet) and/or private networks (such as corporate computer networks). These owners, operators, and users (collectively hereinafter “users”) include universities, businesses, governments, non-profit organizations, individuals, families, etc. (collectively hereinafter “entities”). These threats are not just an inconvenience to these owners, operators, and users, but also a major economic drain. For example, it has been reported that computer threats caused $13 billion worth of economic losses in the year 2003.
Although many computers are protected by firewalls and antivirus software, these preventative measures are not always adequate. For example, a recently launched worm took advantage of a known vulnerability in a popular firewall technology the day after the public became aware of the vulnerability. Because of the rapid launch of the worm, the patch necessary to correct the vulnerability could not be deployed in time to prevent the attack. Similarly, most antivirus software relies on updates to that software so that signatures of known viruses can be utilized to recognize threats. In the case of a “zero-day” threat (e.g., a threat that has just been launched), most computer systems are completely vulnerable because no known patch or signature update has yet been made available.
Like many non-computer attacks, computer attacks are usually preceded by reconnaissance activity. For example, prior to launching a worm, it may be useful for the nefarious computer user or hacker to identify computers, particular ports, and their associated services subject to a target vulnerability. Because a scan is more likely to go unnoticed, or be ignored, than an attack, the hacker is able to identify a large number of potential targets without detection. Then, when an adequate number of targets have been identified, the hacker can launch the worm against all of the identified targets simultaneously rather than attacking the targets as they are found during scanning. In this way, the hacker can cause greater damage because the distribution of the worm at first detection is likely to be widespread. When performing this reconnaissance, the hacker may scan or probe potential victims at a slow or random rate to avoid detection by the victim. In order to maximize the likelihood of quickly finding targets, the hacker may configure the scanning and probing to scan unrelated potential victims at substantially the same time, but scan related targets only infrequently.
Collaborative security systems wherein multiple systems cooperate to defend against threats may be useful in mitigating some of the exposure caused by random and infrequent scanning and probing. A problem with prior attempts at collaborative security systems, however, is that many entities are unwilling to share information regarding the identity of parties accessing their systems because of legal, public-relations, and competitive reasons. For example, a corporation may be reluctant to reveal the IP address of a suspected hacker to other corporations for fear that the suspected hacker is not in fact a hacker, but instead a valued customer.
Accordingly, it is desirable to provide new systems and methods for collaboratively detecting and defending against scans, probes, viruses, and other threats in a computer network environments.
In accordance with the present invention, systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of a threat to be detected and rapidly disseminated among collaborating systems. The alert correlator stores information related to a threat, correlates alert detections, and provides a mechanism through which threat information can be revealed to other collaborating systems. For example, in accordance with the present invention, a one-way data structure such as a bloom filter may be used to store information related to a threat and for correlating detected alerts. Because one-way data structures such as bloom filters can be written to with data and checked to determine whether specifically known data has been previously written, but cannot be read to reveal what data has been written, these structures can be provided to other collaborating systems without revealing the information contained therein. Other types of data structures that do reveal such information may also be used when appropriate. When alerts are correlated, the alert correlator may indicate a threat, and any suitable response to the threat may then be taken. For example, in response to a perceived (or actual) threat at a computer system, one or more safety processes may be initiated by the computer system. These safety processes may include, for example, computer checkpointing and/or backing up critical or otherwise selected information or data (e.g., files, settings, etc.). Additionally, for example, information about the perceived (or actual) threat may be provided to other collaborating systems. This information may include a “profile” of the attack that enables the recipient of the information to infer the intent of the attacker and respond accordingly. Moreover, upon receipt of the threat information, one or more of the collaborating systems may also initiate one or more safety processes, such as those mentioned above.
The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads. For example, the alert distributor may be used to exchange one-way data structures (e.g., bloom filters) or non-one-way data structure between collaborating systems. When such structures are received, the structures may be compared to determine whether there is a correlation of alert information between data structures. If there is, a threat may be indicated and any suitable action taken. For example, other collaborating systems may be alerted to the presence of the threat.
In one embodiment, the invention provides a method for detecting a threat to a computer that includes detecting a first intrusion attempt, detecting a second intrusion attempt, determining whether the first intrusion attempt correlates with the second intrusion attempt, and automatically initiating at least one safety process at the computer when the first intrusion attempt is determined to correlate with the second intrusion attempt.
In a second embodiment, the invention provides a method for detecting a threat to a computer that includes receiving information related to a first intrusion attempt, detecting a second intrusion attempt, determining whether the first intrusion attempt correlates with the second intrusion attempt, and automatically initiating at least one safety process by the computer if the first intrusion attempt is determined to correlate with the second intrusion attempt.
In a third embodiment, the invention provides a method for sharing threat information between at least a first computer and at least a second computer that includes detecting a threat to the first computer, indicating to the second computer that the threat has been detected, and automatically initiating at least one safety process at the second computer.
In a fourth embodiment, the invention provides a system for detecting intrusion attempts on a computer that includes an intrusion detection system that detects a first intrusion attempt and a second intrusion attempt, and an alert correlator that receives information related to the first and second intrusion attempts, that determines whether the first intrusion attempt correlates with the second intrusion attempt, and that initiates at least one safety process at the computer if the first intrusion attempt is determined to correlate with the second intrusion attempt.
Additional embodiments of the invention, its nature and various advantages, will be more apparent upon consideration of the following detailed description, taken in conjunction with the accompanying figures, in which like reference characters refer to like parts throughout, and in which:
Collaborating systems 102, 104, and 106 may be systems owned, operated, and/or used by universities, businesses, governments, non-profit organizations, families, individuals, and/or any other suitable person and/or entity. As set forth more fully in connection with
Communication network 108 may be any suitable network for facilitating communication among computers, servers, etc. For example, communication network 108 may include private computer networks, public computer networks (such as the Internet), telephone communication systems, cable television systems, satellite communication systems, wireless communication systems, any other suitable networks or systems, and/or any combination of such networks and/or systems.
Malicious/compromised computer 110 may be any computer, server or other suitable device for launching a computer threat such as a virus, worm, trojan, etc. The owner of malicious/compromised computer 110 may be any university, business, government, non-profit organization, family, individual, and/or any other suitable person and/or entity. The owner of computer 110 may not be aware of what operations computer 110 is performing or may not be in control of computer 110. Computer 110 may be acting under the control of another computer or autonomously based upon a previous computer attack which infected computer 110 with a virus, worm, trojan, etc. Alternatively, computer 110 may be operated by an individual or organization with nefarious intent. Although only one malicious/compromised computer 110 is shown, any number of computers 110 may be present in system 100.
Communication links 112 may be any suitable mechanism for connecting collaborating systems 102, 104, and 106 and malicious/compromised computer 110 to communication network 108. Links 112 may be any suitable wired or wireless communication link, such as a T1 or T3 connection, a cable modem connection, a digital subscriber line connection, a WiFi or 802.11(a), (b), or (g) connection, a dial-up connection and/or any other suitable communication link. Alternatively, communication links 112 may be omitted from system 100 when appropriate, in which case systems 102, 104, and/or 106 and/or computer 110 may be connected directly to network 108.
Alert correlator 210 and alert distributor 212 may be any suitable hardware and/or software for performing the functions described herein. For example, correlator 210 and distributor 212 may be implemented on personal computer executing the Linux operating system, a database, and software to implement the corresponding correlation and distribution functions described herein. As illustrated in
As known in the art, the sub-systems 200-212 of system 102 may be implemented as separate devices or may be implement as functions being performed in one device, or any number of devices.
As shown in
By selecting multiple hashes of the same input and using multiple hash-bit-selection and hash-bit-rearrangement techniques, the bloom filters are more resilient to noise and data saturation. Although particular hash selection, hash-bit-selection, and hash-bit-rearrangement techniques are shown in
In certain embodiments of the present invention, it may be desirable to use different bloom filters for storing information for different purposes. For example, as shown in table 600 of
Although setting and resetting of bits in the bloom filters may be used to indicate the presence or non-presence of a threat, in certain embodiments of the invention, instead of setting and resetting bits, larger data values may also be used in the bloom filters to store information. For example, when no threat is present, the value may still be set to zero, but when a threat is present, the value may be set to the size of a datagram associated with the threat, the port number being targeted by the threat, a measure of the “stealthiness” of the threat, and/or any other suitable information. By properly encoding the values being stored, any suitable data or combination of data may be stored in a bloom filter. Obviously, using bit values in the bloom filter has the advantage of keeping the data structure smaller that if other size values were stored, thereby speeding-up data distribution.
In this way, the present invention not only correlates attacks, but it also develops a “profile” of the attacks. This profile information may be useful to a collaborating system in inferring the intent of an attack and determining how to respond to a detected attack. For example, if a collaborating system is operated by a bank, and an attack has been detected from an IP address on other banks, but no other collaborating systems, the bank may respond by blocking all traffic from a corresponding IP address at its firewall, contact suitable authorities, etc. Whereas with an attack that is being detected by a wide variety of types collaborating systems (e.g., banks, universities, and governments), the bank may simply decide to filter traffic based upon a signature of the threat.
If the alert is determined to have been found in a bloom filter, at step 750, process 700 branches to step 760 where any suitable response to an attack may be taken. For example, at step 760, process 700 may attempt to defend its local system (e.g., system 102) from the perceived (or actual) attack by: alerting a system administrator of an attack; shutting-down firewall 200; blocking all traffic from the corresponding IP address; generating a firewall filter rule based on a datagram of the threat, a signature of the threat, an IP address of threat, the destination port targeted, and/or the datagram length associated with the threat; and/or performing any other suitable action known in the art. Moreover, in response to the perceived (or actual) attack, for example, one or more safety processes may be automatically initiated by local system 102. These safety processes may include, for example, checkpointing using any suitable technique as known in the art in order to prevent or at least mitigate the effects of the attack. For example, a checkpoint state may be established for local system 102, whereby critical or otherwise selected information or data (e.g., files, job data, settings, a MICROSOFT WINDOWS Registry, or file system, etc.) necessary to enable recovery from that checkpoint state are saved (e.g., on disk). Thus, in the event of one or more faults or corruption of system 102 (e.g., caused by the attack), such information may be restored, and system integrity may be recovered such that some or all changes subsequent to the last checkpoint state may be effectively undone. In this manner, for example, if local system 102 is automatically checkpointed upon notification of a perceived or actual threat (and prior to corruption), then local system 102 either in its entirety, or, for example, certain programs and/or processes, can be “rolled back” to the checkpoint state before the corruption occurred. According to various embodiments of the invention, checkpointing of local system 102 may also be used, for example, to enable re-execution of various programs and/or processes from the checkpoint state (rather than having to re-start these programs and/or processes).
One form of checkpointing that may be used according to the invention involves the use of the “System Restore” function currently offered by the WINDOWS XP operating system by MICROSOFT. For example, at step 760, process 700 may attempt to defend local system 102 by automatically creating one or more “Restore Points” in response to the perceived (or actual) threat. In this case, if local system 102 experiences one or more significant problems due to the attack (e.g., a system failure), System Restore can be used to go back a previous system state (corresponding to a Restore Point), thereby restoring system functionality.
According to various other embodiments of the invention, in response to a perceived (or actual) threat, local system 102 may create a “backup” of selected information or data (e.g., files, job data, settings, a MICROSOFT WINDOWS Registry, or file system, etc.). For example, in response to the perceived (or actual) threat, such information or data can be automatically copied or moved to another, potentially more secure location to be later retrieved if necessary. For example, the information or data to be backed up may be copied or moved to a disk, another computer system, another region (e.g., logical partition) of the computer system that is believed to be at risk, etc. Moreover, it will be understood that the process of backing up certain information or data may be initiated in place of, or in conjunction with, one or more other safety processes (e.g., checkpointing).
At step 760, process 700 may also attempt to help other collaborating systems (e.g., systems 104 and/or 106) defend against the perceived (or actual) attack by alerting other collaborating systems 104 and 106 of the attack. For example, process 700 may provide systems 104 and/or 106 with a firewall filter rule and/or information about the attack, such as the kind of attack (e.g., scanning, probing, etc.), a datagram of the threat, a signature of the threat, an IP address of the attack, the destination port/service targeted, the length of the datagram associated with the threat, the types of other collaborating systems that have detected the threat, a measure of the “stealthiness” of the threat, and/or any other profile information related to the threat that may be useful in preventing, detecting, responding to, and/mitigating the effects of the attack. Moreover, based on a notification or recommendation from system 102, and/or based on attack alert information from system 102, one or both of systems 104 and 106 may automatically institute one or more safety processes such as described above in connection with system 104. For example, one or both of systems 104 and 106 may automatically initiate checkpointing and/or backup processes, such as described above, in order to prevent or at least mitigate the effects of the attack. It will be appreciated that initiating one or more safety processes such as described in response to a information received from system 102 about a perceived (or actual) threat will be especially useful for systems 104 and 106, which may not yet have been subject to the threat.
If the alert is determined not to have been found in a bloom filter, at step 750, process 700 branches to step 770 where the alert is entered into the selected bloom filters. An example of such a sub-process is described below in connection with
As shown in
As stated above, an alert distributor 212 may be used to distribute alert information, such as bloom filters, between collaborating systems. Although any suitable data distribution mechanism, such as a peer-to-peer network or a central server for storage and retrieval, may be used in accordance with the present invention, in order to securely and efficiently distribute this information, the distribution mechanism illustrated in
Another circular buffer 1050 having as many positions as there are circular buffers 1010-1040 may be used to indicate the rotation rate for buffers 1010-1040. For example, as shown, circular buffer 1050 has four positions corresponding to the four circular buffers 1010-1040, and these positions are filled with numbers 1, 2, 4, and 8 indicating that buffers 1010, 1020, 1030, and 1040 will advance one position every 1, 2, 4, and 8 units time, respectively. Obviously, any suitable rotation rates could be used in accordance with the present invention. For example, buffer 1040 may be advanced one position every ten units time, buffer 1030 may be advanced one position every nine units time, buffer 1020 may be advanced one position every eight units time, and buffer 1010 may be advanced one position every seven units time. Preferably, the rotation schedule is difficult to guess or predict. Each time the least frequently rotating buffer (e.g., buffer 1040) has completed a full rotation and returned to its original order, circular buffer 1050 will advance one position to cause the next buffer (e.g., buffer 1010) to become the least frequently rotating buffer.
This distribution process is illustrated as a process 1200 in
To further protect the security and anonymity of the data being exchanged by the collaborating systems, a central authority may operate a trusted proxy server or other data exchange mechanism that is used to exchange data between the systems. In this way, no collaborating system would be able to determine the IP address of a collaborating system from which it is receiving information. In such a case, however, the central authority may assign and the collaborating systems may know the category or type of system (e.g., a bank, university, government, etc.) with which it is exchanging data. This category may be based on SIC codes or any other suitable mechanism. In this way, the systems would be better able to evaluate a profile of a threat and thereby infer the intent of the threat. The central authority may also assign encryption keys used by the collaborating systems. Furthermore, the central authority may provide the same alert correlation and alert distribution functions described herein as being performed by the collaborating systems. In such a case, it may not be necessary to hide data (e.g., IP addresses of possible threats) being provided to the central authority by each collaborating system because the authority is trusted to maintain that data in confidence.
In order to prevent false alerts due to bloom filter saturation, the filters may be periodically cleared. Alternatively, instead of using bits with a value of one to represent specific alerts, the bloom filters may use a time value representative of the date or time that an alert has been detected. Then, over time, the value may be updated when a correlating alert is detected or the value may be set to zero when no correlating alert is detected. When suitable, the time value may be combined with other data in the bloom filter and decoded as appropriate.
Although the present invention has been described and illustrated in the foregoing exemplary embodiments, it is understood that the present disclosure has been made only by way of example, and that numerous changes in the details of implementation of the invention may be made without departing from the spirit and scope of the invention. Moreover, it will be understood that certain features which are well known in the art have not been described in order to avoid complication of the subject matter of the present invention. The present invention is limited only by the claims which follow.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5621889 *||Jun 8, 1994||Apr 15, 1997||Alcatel Alsthom Compagnie Generale D'electricite||Facility for detecting intruders and suspect callers in a computer installation and a security system including such a facility|
|US5812763 *||Jan 21, 1993||Sep 22, 1998||Digital Equipment Corporation||Expert system having a plurality of security inspectors for detecting security flaws in a computer system|
|US5919258 *||Feb 6, 1997||Jul 6, 1999||Hitachi, Ltd.||Security system and method for computers connected to network|
|US6016553 *||Jun 26, 1998||Jan 18, 2000||Wild File, Inc.||Method, software and apparatus for saving, using and recovering data|
|US6279113 *||Jun 4, 1998||Aug 21, 2001||Internet Tools, Inc.||Dynamic signature inspection-based network intrusion detection|
|US6460055 *||Dec 16, 1999||Oct 1, 2002||Livevault Corporation||Systems and methods for backing up data files|
|US6802025 *||Jun 30, 2000||Oct 5, 2004||Microsoft Corporation||Restoration of a computer to a previous working state|
|US6804667 *||Nov 30, 1999||Oct 12, 2004||Ncr Corporation||Filter for checking for duplicate entries in database|
|US7146421 *||Oct 19, 2001||Dec 5, 2006||Stonesoft Oy||Handling state information in a network element cluster|
|US20020023227 *||Aug 10, 2001||Feb 21, 2002||Sheymov Victor I.||Systems and methods for distributed network protection|
|1||*||"Windows XP System Restore," Melissa Wise, Microsoft TechNet, Windows & .NET Magazine, Dec. 4, 2002.|
|2||Cuppens, F. and Miege, A., 2002, "Alert Correlation in a Cooperative Intrusion Detection Framework", ONERA Centre de Toulouse.|
|3||Cuppens, F. and Ortalo, R., 2000, "Lambda: A Language to Model a Database for Detection of Attacks", ONERA Centre de Toulouse.|
|4||Dain, O. and Cunningham, R.K., 2001, "Fusing a Heterogeneous Alert Stream into Scenarios", Massachusetts Institute of Technology.|
|5||Distributed Intrusion Detection System, 2004, Dshield.org.|
|6||Huang, M.Y and Wicks, T.M., 1998, "A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis", Applied Research and Technology, The Boeing Company.|
|7||King, S.T. and Chen, P.M., 2003, "Backtracking Intrusions", University of Michigan, Department of Electrical Engineering and Computer Science.|
|8||Kodialam M. and Lakshman T.V., 2003, "Detecting Network Intrusions via Sampling: A Game Theoretic Approach", Bell Laboratories, Lucent Technologies.|
|9||Krügel, C., et al., 2001, "Decentralized Event Correlation for Intrusion Detection" Technical University Vienna.|
|10||Lincoln, P., et al., 2004, "Privacy-Preserving Sharing and Correlation of Security Alerts", SRI International.|
|11||Ning, P., et al., 2002, "Constructing Attack Scenarios Through Correlation of Intrusion Alerts", NC State University Department of Computer Science.|
|12||Qin, X. and Wenke, L., 2003, "Statistical Causality Analysis of INFOSEC Alert Data", College of Computing Georgia Institute of Technology.|
|13||Robertson, S., et al., 2003, "Surveillance Detection in High Bandwidth Environments".|
|14||Roesch, M., 1999, "SNORT-Lightweight Intrusion Detection for Networks", Proceedings of LISA '99: 13th Systems Administration Conference, XIII pp. 229-238.|
|15||Soneren, A.C., et al., 2001, "Single-Packet IP Traceback".|
|16||Wang, K. and Stolfo, S.J., 2004, "Anomalous Payload-based Network Intrusion Detection", Columbia University, Computer Science Department.|
|17||Yang, J., et al., 2000, "Cards: A distributed System for Detecting Coordinated Attacks", George Mason University, Center for Secure Information Systems.|
|18||Yegneswaran, V., et al., 2004, "Global Intrusion Detection in the Domino Overlay System", University of Wisconsin, Computer Sciences Department.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US8171553||Apr 20, 2006||May 1, 2012||Fireeye, Inc.||Heuristic based capture with replay to virtual machine|
|US8204984||Nov 30, 2007||Jun 19, 2012||Fireeye, Inc.||Systems and methods for detecting encrypted bot command and control communication channels|
|US8291499||Mar 16, 2012||Oct 16, 2012||Fireeye, Inc.||Policy based capture with replay to virtual machine|
|US8375444||Jul 28, 2006||Feb 12, 2013||Fireeye, Inc.||Dynamic signature creation and enforcement|
|US8528086||Mar 31, 2005||Sep 3, 2013||Fireeye, Inc.||System and method of detecting computer worms|
|US8539582||Mar 12, 2007||Sep 17, 2013||Fireeye, Inc.||Malware containment and security analysis on connection|
|US8549638||Jun 13, 2005||Oct 1, 2013||Fireeye, Inc.||System and method of containing computer worms|
|US8561177||Nov 30, 2007||Oct 15, 2013||Fireeye, Inc.||Systems and methods for detecting communication channels of bots|
|US8566928||Oct 3, 2006||Oct 22, 2013||Georgia Tech Research Corporation||Method and system for detecting and responding to attacking networks|
|US8566946||Mar 12, 2007||Oct 22, 2013||Fireeye, Inc.||Malware containment on connection|
|US8578497||Jan 5, 2011||Nov 5, 2013||Damballa, Inc.||Method and system for detecting malware|
|US8584239||Jun 19, 2006||Nov 12, 2013||Fireeye, Inc.||Virtual machine with dynamic data flow analysis|
|US8631489||Jan 25, 2012||Jan 14, 2014||Damballa, Inc.||Method and system for detecting malicious domain names at an upper DNS hierarchy|
|US8635696||Jun 28, 2013||Jan 21, 2014||Fireeye, Inc.||System and method of detecting time-delayed malicious traffic|
|US8683591||Feb 9, 2011||Mar 25, 2014||Nant Holdings Ip, Llc||Vector-based anomaly detection|
|US8769373||Oct 5, 2010||Jul 1, 2014||Cleon L. Rogers, JR.||Method of identifying and protecting the integrity of a set of source data|
|US8776229||Aug 28, 2013||Jul 8, 2014||Fireeye, Inc.||System and method of detecting malicious traffic while reducing false positives|
|US8793787||Jan 23, 2009||Jul 29, 2014||Fireeye, Inc.||Detecting malicious network content using virtual environment components|
|US8826438||Jan 18, 2011||Sep 2, 2014||Damballa, Inc.||Method and system for network-based detecting of malware from behavioral clustering|
|US8832829||Sep 30, 2009||Sep 9, 2014||Fireeye, Inc.||Network-based binary file extraction and analysis for malware detection|
|US8850571||Nov 3, 2008||Sep 30, 2014||Fireeye, Inc.||Systems and methods for detecting malicious network content|
|US8881282||Mar 12, 2007||Nov 4, 2014||Fireeye, Inc.||Systems and methods for malware attack detection and identification|
|US8898788||Mar 12, 2007||Nov 25, 2014||Fireeye, Inc.||Systems and methods for malware attack prevention|
|US8935779||Jan 13, 2012||Jan 13, 2015||Fireeye, Inc.||Network-based binary file extraction and analysis for malware detection|
|US8959097 *||Mar 12, 2010||Feb 17, 2015||International Business Machines Corporation||Privacy-preserving method for skimming of data from a collaborative infrastructure|
|US8984638||Nov 12, 2013||Mar 17, 2015||Fireeye, Inc.||System and method for analyzing suspicious network data|
|US8990939||Jun 24, 2013||Mar 24, 2015||Fireeye, Inc.||Systems and methods for scheduling analysis of network content for malware|
|US8990944||Feb 23, 2013||Mar 24, 2015||Fireeye, Inc.||Systems and methods for automatically detecting backdoors|
|US8997219||Jan 21, 2011||Mar 31, 2015||Fireeye, Inc.||Systems and methods for detecting malicious PDF network content|
|US9009822||Feb 23, 2013||Apr 14, 2015||Fireeye, Inc.||Framework for multi-phase analysis of mobile applications|
|US9009823||Feb 23, 2013||Apr 14, 2015||Fireeye, Inc.||Framework for efficient security coverage of mobile software applications installed on mobile devices|
|US9027135||Feb 21, 2007||May 5, 2015||Fireeye, Inc.||Prospective client identification using malware attack detection|
|US9071638||Oct 21, 2013||Jun 30, 2015||Fireeye, Inc.||System and method for malware containment|
|US9104867||Mar 13, 2013||Aug 11, 2015||Fireeye, Inc.||Malicious content analysis using simulated user interaction without user involvement|
|US9106694||Apr 18, 2011||Aug 11, 2015||Fireeye, Inc.||Electronic message analysis for malware detection|
|US9118715||May 10, 2012||Aug 25, 2015||Fireeye, Inc.||Systems and methods for detecting malicious PDF network content|
|US9143517||Jan 31, 2013||Sep 22, 2015||Hewlett-Packard Development Company, L.P.||Threat exchange information protection|
|US9159035||Feb 23, 2013||Oct 13, 2015||Fireeye, Inc.||Framework for computer application analysis of sensitive information tracking|
|US9166994||Aug 30, 2013||Oct 20, 2015||Damballa, Inc.||Automation discovery to identify malicious activity|
|US9171160||Sep 30, 2013||Oct 27, 2015||Fireeye, Inc.||Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses|
|US9176843||Feb 23, 2013||Nov 3, 2015||Fireeye, Inc.||Framework for efficient security coverage of mobile software applications|
|US9189627||Nov 21, 2013||Nov 17, 2015||Fireeye, Inc.||System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection|
|US9195829||Feb 23, 2013||Nov 24, 2015||Fireeye, Inc.||User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications|
|US9197658||Feb 14, 2014||Nov 24, 2015||Nant Holdings Ip, Llc||Vector-based anomaly detection|
|US9197664||Feb 11, 2015||Nov 24, 2015||Fire Eye, Inc.||System and method for malware containment|
|US9223972||Mar 31, 2014||Dec 29, 2015||Fireeye, Inc.||Dynamically remote tuning of a malware content detection system|
|US9225740||Sep 24, 2014||Dec 29, 2015||Fireeye, Inc.||Framework for iterative analysis of mobile software applications|
|US9241010||Mar 20, 2014||Jan 19, 2016||Fireeye, Inc.||System and method for network behavior detection|
|US9251343||Mar 15, 2013||Feb 2, 2016||Fireeye, Inc.||Detecting bootkits resident on compromised computers|
|US9262635||Feb 5, 2014||Feb 16, 2016||Fireeye, Inc.||Detection efficacy of virtual machine-based analysis with application specific events|
|US9275348 *||Jan 31, 2013||Mar 1, 2016||Hewlett Packard Enterprise Development Lp||Identifying participants for collaboration in a threat exchange community|
|US9282109||Jun 30, 2014||Mar 8, 2016||Fireeye, Inc.||System and method for analyzing packets|
|US9294501||Sep 30, 2013||Mar 22, 2016||Fireeye, Inc.||Fuzzy hash of behavioral results|
|US9300686||Jul 18, 2013||Mar 29, 2016||Fireeye, Inc.||System and method for detecting malicious links in electronic messages|
|US9306960||Aug 19, 2013||Apr 5, 2016||Fireeye, Inc.||Systems and methods for unauthorized activity defense|
|US9306969||Aug 30, 2013||Apr 5, 2016||Georgia Tech Research Corporation||Method and systems for detecting compromised networks and/or computers|
|US9306974||Feb 11, 2015||Apr 5, 2016||Fireeye, Inc.||System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits|
|US9311479||Mar 14, 2013||Apr 12, 2016||Fireeye, Inc.||Correlation and consolidation of analytic data for holistic view of a malware attack|
|US9355247||Mar 13, 2013||May 31, 2016||Fireeye, Inc.||File extraction from memory dump for malicious content analysis|
|US9356944||Jun 28, 2013||May 31, 2016||Fireeye, Inc.||System and method for detecting malicious traffic using a virtual machine configured with a select software environment|
|US9363280||Aug 22, 2014||Jun 7, 2016||Fireeye, Inc.||System and method of detecting delivery of malware using cross-customer data|
|US9367681||Feb 23, 2013||Jun 14, 2016||Fireeye, Inc.||Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application|
|US9398028||Jun 26, 2014||Jul 19, 2016||Fireeye, Inc.||System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers|
|US9430646||Mar 14, 2013||Aug 30, 2016||Fireeye, Inc.||Distributed systems and methods for automatically detecting unknown bots and botnets|
|US9432389||Mar 31, 2014||Aug 30, 2016||Fireeye, Inc.||System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object|
|US9438613||Mar 30, 2015||Sep 6, 2016||Fireeye, Inc.||Dynamic content activation for automated analysis of embedded objects|
|US9438622||Mar 30, 2015||Sep 6, 2016||Fireeye, Inc.||Systems and methods for analyzing malicious PDF network content|
|US9438623||Jun 20, 2014||Sep 6, 2016||Fireeye, Inc.||Computer exploit detection using heap spray pattern matching|
|US9456001||Jan 31, 2013||Sep 27, 2016||Hewlett Packard Enterprise Development Lp||Attack notification|
|US9483644||Mar 31, 2015||Nov 1, 2016||Fireeye, Inc.||Methods for detecting file altering malware in VM based analysis|
|US9495180||May 10, 2013||Nov 15, 2016||Fireeye, Inc.||Optimized resource allocation for virtual machines within a malware content detection system|
|US9516057||Apr 4, 2016||Dec 6, 2016||Fireeye, Inc.||Systems and methods for computer worm defense|
|US9516058||Aug 9, 2011||Dec 6, 2016||Damballa, Inc.||Method and system for determining whether domain names are legitimate or malicious|
|US9519782||Feb 24, 2012||Dec 13, 2016||Fireeye, Inc.||Detecting malicious network content|
|US9525699||Sep 30, 2013||Dec 20, 2016||Damballa, Inc.||Method and system for detecting malware|
|US9536091||Jun 24, 2013||Jan 3, 2017||Fireeye, Inc.||System and method for detecting time-bomb malware|
|US9560059||Nov 16, 2015||Jan 31, 2017||Fireeye, Inc.||System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection|
|US9565202||Mar 13, 2013||Feb 7, 2017||Fireeye, Inc.||System and method for detecting exfiltration content|
|US9589135||Sep 29, 2014||Mar 7, 2017||Fireeye, Inc.||Exploit detection of malware and malware families|
|US9591015||Mar 28, 2014||Mar 7, 2017||Fireeye, Inc.||System and method for offloading packet processing and static analysis operations|
|US9591020||Feb 25, 2014||Mar 7, 2017||Fireeye, Inc.||System and method for signature generation|
|US9594904||Apr 23, 2015||Mar 14, 2017||Fireeye, Inc.||Detecting malware based on reflection|
|US9594905||Oct 12, 2015||Mar 14, 2017||Fireeye, Inc.||Framework for efficient security coverage of mobile software applications using machine learning|
|US9594912||Jun 20, 2014||Mar 14, 2017||Fireeye, Inc.||Return-oriented programming detection|
|US9609007||Jun 6, 2016||Mar 28, 2017||Fireeye, Inc.||System and method of detecting delivery of malware based on indicators of compromise from different sources|
|US9626509||Mar 13, 2013||Apr 18, 2017||Fireeye, Inc.||Malicious content analysis with multi-version application support within single operating environment|
|US9628498||Oct 11, 2013||Apr 18, 2017||Fireeye, Inc.||System and method for bot detection|
|US9628507||Sep 30, 2013||Apr 18, 2017||Fireeye, Inc.||Advanced persistent threat (APT) detection center|
|US9635039||May 15, 2013||Apr 25, 2017||Fireeye, Inc.||Classifying sets of malicious indicators for detecting command and control communications associated with malware|
|US9641546||Apr 11, 2016||May 2, 2017||Fireeye, Inc.||Electronic device for aggregation, correlation and consolidation of analysis attributes|
|US20070250930 *||Jun 19, 2006||Oct 25, 2007||Ashar Aziz||Virtual machine with dynamic data flow analysis|
|US20080005782 *||Apr 20, 2006||Jan 3, 2008||Ashar Aziz||Heuristic based capture with replay to virtual machine|
|US20080028463 *||Oct 3, 2006||Jan 31, 2008||Damballa, Inc.||Method and system for detecting and responding to attacking networks|
|US20100037314 *||Aug 10, 2009||Feb 11, 2010||Perdisci Roberto||Method and system for detecting malicious and/or botnet-related domain names|
|US20110099633 *||Jun 13, 2005||Apr 28, 2011||NetForts, Inc.||System and method of containing computer worms|
|US20110167495 *||Jan 5, 2011||Jul 7, 2011||Antonakakis Emmanouil||Method and system for detecting malware|
|US20110225200 *||Mar 12, 2010||Sep 15, 2011||International Business Machines Corporation||Privacy-preserving method for skimming of data from a collaborative infrastructure|
|US20130111105 *||Oct 31, 2011||May 2, 2013||Antonio Lain||Non-volatile data structure manager and methods of managing non-volatile data structures|
|US20150373040 *||Jan 31, 2013||Dec 24, 2015||Hewlett-Packard Development Company, L.P.||Sharing information|
|U.S. Classification||726/23, 380/59, 713/188, 713/187, 715/736, 709/227|
|International Classification||G06F15/16, G06F12/16, G06F11/30, B41K3/38, G06F12/14, G08B23/00, G06F11/00, G06F15/177|
|Mar 25, 2010||AS||Assignment|
Owner name: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:STOLFO, SALVATORE J;KEROMYTIS, ANGELOS D;MISRA, VISHAL;AND OTHERS;SIGNING DATES FROM 20090722 TO 20100325;REEL/FRAME:024137/0689
|Jan 15, 2014||FPAY||Fee payment|
Year of fee payment: 4